@hiiretail/gcp-infra-cli 0.92.5 → 0.93.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/generators/common-resources/cloud-armor/generator.json +4 -0
- package/generators/common-resources/cloud-armor/index.js +45 -0
- package/generators/common-resources/cloud-armor/templates/policies.yaml +49 -0
- package/generators/common-resources/cloud-armor/templates/terragrunt.hcl +30 -0
- package/generators/docs/rca/templates/docs/rca_external.md +3 -1
- package/generators/docs/rca/templates/docs/rca_internal.md +17 -7
- package/package.json +1 -1
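--- a/package/generators/common-resources/cloud-armor/index.js
+++ b/package/generators/common-resources/cloud-armor/index.js
@@ -0,0 +1,45 @@
+const path = require('path');
+const chalk = require('chalk');
+const BaseGenerator = require('../../../src/BaseGenerator');
+const getTribeAndClanName = require('../../init/clan-infra/tribe-clan-repo');
+
+module.exports = class extends BaseGenerator {
+prompting() {
+const prompts = [
+{
+type: 'input',
+name: 'name',
+default: getTribeAndClanName().clan,
+message: 'Enter your policy name or leave blank for default',
+},
+];
+return this.prompt(prompts).then((props) => {
+this.answers = props;
+});
+}
+
+writing() {
+const {
+name,
+} = this.answers;
+
+const run = (env) => {
+this.copyDir(
+path.join(''),
+path.join('infra', env, 'cloud-armor', name),
+);
+};
+run('staging');
+run('prod');
+}
+
+end() {
+const {
+name,
+} = this.answers;
+this.log(`
+${chalk.green(`Your cloud armor policy ${chalk.cyan(name)} has been created. To finalize your configuration, please continue
+with manual editing of the generated files.`)}
+`);
+}
+};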
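Review bot: The value answered to the `name` prompt is used unchecked as a path segment in `path.join('infra', env, 'cloud-armor', name)` and, via the generated terragrunt.hcl's `basename(get_terragrunt_dir())`, becomes the Cloud Armor policy name, so a value containing `/` or `..` writes the template outside the intended `cloud-armor` directory and a value with uppercase or other characters will presumably only be rejected later by GCP naming rules at apply time. A `validate` entry on the prompt catches both at input time, e.g. `validate: (v) => /^[a-z][a-z0-9-]*$/.test(v) || 'Use lowercase letters, digits and hyphens only',` (constructed example, adjust to the naming rules the team enforces). The source argument `path.join('')` resolves to `'.'`; writing `'.'` directly would say what is meant. The whole file is new, so nothing continues outside the hunk.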
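--- a/package/generators/common-resources/cloud-armor/templates/policies.yaml
+++ b/package/generators/common-resources/cloud-armor/templates/policies.yaml
@@ -0,0 +1,49 @@
+## This yaml file will configure your cloud armor policies
+## For more information on how to configure the expressions
+## Visit https://cloud.google.com/armor/docs/rules-language-reference
+description: Cloud armor policy
+default-action: allow ## if no requests match any rules this value will be honored ( allow | deny )
+rules:
+deny-no-auth-header:
+action: deny
+priority: 10
+description: Block requests without auth header
+preview: true ## dry run true | false
+## Expression will block any request not containing the authorization header
+expression: >-
+!has(request.headers["authorization"])
+
+## Example rules
+# ban-requests:
+# action: rate_based_ban
+# priority: 500
+# description: ban requests if more then 10 with the same authorization token
+# preview: true
+# expression: >-
+# inIpRange(origin.ip, "0.0.0.0/0") && has(request.headers["authorization"])
+# rate_limit_options:
+# exceed_action: deny(502)
+## Ban if we get more than 10 requests in 10 minutes for 40 minutes
+# ban_http_request_count: 10
+# ban_http_request_interval_sec: 600
+# ban_duration_sec: 2700
+## Throttle if we get more than 5 requests every 60 seconds
+# rate_limit_http_request_count: 5
+# rate_limit_http_request_interval_sec: 60
+## Enforce on auth header only
+# enforce_on_key_configs:
+# - enforce_on_key_type: HTTP_HEADER
+# enforce_on_key_name: authorization
+# throttle-requests:
+# action: throttle
+# priority: 1000
+# description: throttle requests from SE (100/minute)
+# preview: true
+# expression: >-
+# inIpRange(origin.ip, "0.0.0.0/0") && origin.region_code == "SE"
+# rate_limit_options:
+# exceed_action: deny(429)
+## Throttle if we get 100 requests per minute from sweden and the same IP
+# rate_limit_http_request_count: 100
+# rate_limit_http_request_interval_sec: 60
+# enforce_on_key: ALL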
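Review bot: The only active rule in the template, `deny-no-auth-header`, ships with `preview: true` while `default-action: allow` is the fallback, so a policy generated without further edits logs matching requests but enforces nothing, and the inline comment `## dry run true | false` does not make that consequence obvious to whoever applies it. Suggest `preview: true ## dry run: matches are only logged, set to false to enforce the deny`. Both example rules use `inIpRange(origin.ip, "0.0.0.0/0")` as a match-everything condition; a short comment marking the range as a placeholder to narrow would help, since the surrounding comments explain the rate limits but not the match scope. The description `ban requests if more then 10` should read `more than 10`.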
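--- a/package/generators/common-resources/cloud-armor/templates/terragrunt.hcl
+++ b/package/generators/common-resources/cloud-armor/templates/terragrunt.hcl
@@ -0,0 +1,30 @@
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+source = "git::https://github.com/GoogleCloudPlatform/terraform-google-cloud-armor//?ref=v2.0.1"
+}
+
+include {
+path = find_in_parent_folders("terragrunt_root.hcl")
+}
+
+locals {
+project_vars = read_terragrunt_config(find_in_parent_folders("project.hcl"))
+common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl"))
+policies = yamldecode(file("${get_terragrunt_dir()}/policies.yaml"))
+name = basename(get_terragrunt_dir())
+}
+
+inputs = merge(
+{
+project_id = local.project_vars.locals.project_id
+name = local.name
+description = local.policies["description"]
+default_rule_action = local.policies["default-action"]
+type = "CLOUD_ARMOR"
+layer_7_ddos_defense_enable = false
+json_parsing = "STANDARD"
+log_level = "VERBOSE"
+custom_rules = local.policies["rules"]
+}
+)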
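Review bot: The module source `source = "git::https://github.com/GoogleCloudPlatform/terraform-google-cloud-armor//?ref=v2.0.1"` is pinned to a git tag, which the upstream can move, so every staging and prod policy generated from this template fetches whatever that tag points to at apply time; pinning to the commit the tag currently resolves to (`?ref=<commit-sha>`, placeholder) and keeping the tag in a comment gives a reproducible source. `local.common_vars` is read from `common.hcl` but never referenced in `inputs`, so either a use is missing or the line can be dropped. `layer_7_ddos_defense_enable = false` and `log_level = "VERBOSE"` are hard-coded without a comment; a line such as `# Layer 7 DDoS defense is off in the template; enable per policy where needed` would record the intent for whoever edits the generated file. `merge(` receives a single map, so it currently adds nothing over the bare object.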
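--- a/package/generators/docs/rca/templates/docs/rca_external.md
+++ b/package/generators/docs/rca/templates/docs/rca_external.md
@@ -11,9 +11,11 @@ shared with external customers as well as internal stakeholders. Some guidelines
 * Include what the problem was and how the customer(s) was affected
 * Do NOT include any customer names
 * Do NOT include any Hii Retail service names or underlying technologies that we are using
-* Include some general action points, such as if additional alerts needs to be added.
+* Include some general action points, such as if additional alerts needs to be added. Do not add details
 * Don't make promises, if there are any actions that we will look at, just mention them. Don't include target dates
 
 Example:
 On January 25 2023 from 14:31 CET to 15:59 CET some customers may have experienced delays with card payments. The issue was traced back to a misconfiguration of a recent deployment. At 15:31 CET a fix was deployed and monitored. At 15:59 CET the issue was resolved for all affected customers.
+
+We will look into the process of how we update our configuration in production to mitigate these issues going forward.
 -->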
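--- a/package/generators/docs/rca/templates/docs/rca_internal.md
+++ b/package/generators/docs/rca/templates/docs/rca_internal.md
@@ -12,9 +12,15 @@
 
 **Impact to customer**: <!-- Describe how the customer, and end customers, was affected by the incident. Where they completely unable to use the system? Or was there some feature that wasn't working? -->
 
-**Ticket information**:
+**Ticket information**:
 
-
+<!-- Add link(s) to any Jira issues in the format of:
+
+- [EXTINTERAL-1234](https://extendaretail.atlassian.net/browse/EXTINTERAL-1234)
+
+-->
+
+**Services involved**: <!-- List the Hii Retail-service(s) that were involved in the incident, for example checkout-poslog. If multiple services/systems are involved, just mention the systems such as: Checkout Engine, Store Data etc. -->
 
 ## Summary
 
@@ -31,10 +37,10 @@ Describe the events that caused the incident, starting from when the issues star
 
 Example:
 
--
--
--
--
+- 2024-03-27 14.36 CET - Alert X was triggered
+- 2024-03-27 14.36 CET - Team started working on the incident
+- 2024-03-27 14.49 CET - A fix was pushed and deployed
+- 2024-03-27 14.53 CET - Incident was resolved
 -->
 
 ## Five Whys
@@ -42,9 +48,11 @@ Example:
 <!--
 Five whys is a technique used to explore the cause and effect underlying a particular problem. The primary goal of the technique is to determine the root cause of a problem by repeating the question "Why?". Each answer forms the basis of the next question.
 
+Note: It is not a requirement to add exactly 5 whys. If the root cause is found at the third why, it is not necessary to continue. The main point is to find the root cause within 5 steps.
+
 Example:
 
-Problem
+**Problem**: The vehicle won't start
 
 1. __Why?__ - The battery is dead (First why)
 2. __Why?__ - The alternator is not functioning (Second why)
@@ -53,6 +61,8 @@ Problem: The vehicle won't start
 5. __Why?__ - The vehicle was not maintained according to the recommended service schedule. (Fifth why, the root cause)
 -->
 
+**Problem**:
+
 1. __Why?__
 2. __Why?__
 3. __Why?__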